[PHP] Malicious SQL

[Gabe]

Can someone help me understand how people are able to use SQL 
maliciously if you don't protect against it in PHP?  For example, I've 
written a very simple search SQL statement that takes the value of a 
variable for the search criteria ( from a webpage form ).  I don't 
understand how someone could enter an SQL statement that could be 
malicious.  Here's the SQL statement that I run once I have the search 
criteria stored in $strCriteria:

SELECT autoQuesID, fldQuesTitle, fldBody FROM tblFAQ_Question WHERE 
(blnHidden = FALSE AND ((fldBody LIKE '%$strCriteria%') OR (fldQuesTitle 
LIKE '%$strCriteria%')));

I know in general that protecting against someone entering SQL is a must 
.  So I guess I'm just wondering if anyone has any real-world experience 
with how people can take advantage of SQL and forms.

Thanks!
Gabe
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php